Sensitive Information Disclosure in ECE by Elastic
CVE-2022-23715

6.5MEDIUM

Key Information:

Vendor: Elastic
Status: Elastic Cloud Enterprise
Vendor: CVE Published:; 25 August 2022

Summary

A security flaw exists in Elastic Cloud Enterprise (ECE) prior to version 3.4.0 that can expose sensitive information such as user passwords and Elasticsearch keystore settings in logs like audit logs or deployment logs. This vulnerability primarily affects the PATCH APIs for user management and Elasticsearch keystore management, potentially leading to unauthorized access to sensitive data.

Affected Version(s)

Elastic Cloud Enterprise Versions through 3.4.0

References

https://www.elastic.co/community/security

x_refsource_MISC

https://discuss.elastic.co/t/elastic-cloud-enterprise-3-4...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 25, 2022
Vulnerability Reserved
Jan 19, 2022